mateothegreat
2/2/2018 - 12:48 PM

Kubernetes RBAC

RBAC on Google Container Engine (GKE)

Error from server (Forbidden): error when creating 
"manifests/prometheus-operator/prometheus-operator-cluster-role.yaml": 
clusterroles.rbac.authorization.k8s.io "prometheus-operator" is forbidden: attempt to grant extra privileges:
<....>
# get current google identity
$ gcloud info | grep Account
Account: [myname@example.org]

# grant cluster-admin to your current identity
$ kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=matthew@streaming-platform.com
Clusterrolebinding "myname-cluster-admin-binding" created

# Bad: binds cluster-admin to the default service account of kube-system, so every pod in that namespace that does not set its own serviceAccountName gets a token with full cluster access
kubectl create clusterrolebinding --user system:serviceaccount:kube-system:default kube-system-cluster-admin --clusterrole cluster-admin

# Also bad, for the same reason: the --serviceaccount form of the binding above
kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default

# Bind a specific user identity instead
kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=matthew@streaming-platform.com

kubectl create clusterrolebinding protonmail-cluster-admin-binding --clusterrole=cluster-admin --user=yomateo@protonmail.com

# Same, taking the user from the active gcloud account instead of typing it
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud info | grep Account | cut -d '[' -f 2 | cut -d ']' -f 1)
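The "attempt to grant extra privileges" error at the top is RBAC's escalation prevention: the API server refuses to create a ClusterRole that grants permissions the caller does not already hold (unless the caller has the `escalate` verb on clusterroles). On GKE the gcloud account that created the cluster is not automatically bound to cluster-admin, which is why the binding step is needed. The script below is an added example, not part of the original notes: it wraps the "find the account, build the binding" steps above in functions that work on strings, so the logic can be checked offline and the kubectl command is printed for review rather than run. The function names, the binding-name scheme (lowercase, non-alphanumerics replaced by `-`, suffix `-cluster-admin`) and the list of refused subjects are all this example's own assumptions; the refused list generalises the notes' "Bad" case from kube-system to the default service account of every namespace, since each of those is auto-mounted into pods that set no serviceAccountName.

```shell
#!/bin/sh
# Added example, not from the original notes. Helpers for the "bind your
# current gcloud identity to cluster-admin" step. Nothing here calls gcloud
# or kubectl itself; each function works on strings so the logic can be
# checked offline, and plan_binding prints the kubectl command for review.

# Read `gcloud info` output on stdin and print the account from the line
# "Account: [name@example.org]" (the shape shown in the notes).
gke_account_from_info() {
  sed -n 's/^[[:space:]]*Account: *\[\(.*\)\]/\1/p' | head -n 1
}

# Derive a ClusterRoleBinding name from a subject (assumed scheme: lowercase,
# anything outside [a-z0-9] becomes '-', suffix '-cluster-admin'). RBAC object
# names are fairly permissive, but this keeps them readable and shell-safe.
binding_name_for() {
  printf '%s\n' "$1" \
    | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/[^a-z0-9]/-/g' -e 's/^-*//' -e 's/-*$//' -e 's/$/-cluster-admin/'
}

# Subjects that must never receive cluster-admin (assumption: this list is
# ours). It covers the notes' "Bad" case for every namespace, because the
# default service account is auto-mounted into pods that set no
# serviceAccountName, plus the anonymous/unauthenticated identities.
subject_is_risky() {
  case "$1" in
    system:serviceaccount:*:default) return 0 ;;
    system:anonymous|system:unauthenticated) return 0 ;;
  esac
  return 1
}

# Print the kubectl command that binds cluster-admin to a subject, or fail
# (return 1, message on stderr) when the subject is empty or on the risky list.
# Service-account subjects use --serviceaccount=namespace:name; everything
# else is treated as a user name, as in the notes.
plan_binding() {
  subject="$1"
  if [ -z "$subject" ]; then
    echo 'plan_binding: empty subject (gcloud not logged in?)' >&2
    return 1
  fi
  if subject_is_risky "$subject"; then
    echo "plan_binding: refusing to bind cluster-admin to $subject" >&2
    return 1
  fi
  case "$subject" in
    system:serviceaccount:*)
      flag="--serviceaccount=${subject#system:serviceaccount:}" ;;
    *)
      flag="--user=$subject" ;;
  esac
  printf 'kubectl create clusterrolebinding %s --clusterrole=cluster-admin %s\n' \
    "$(binding_name_for "$subject")" "$flag"
}
```

Source the file and run `plan_binding "$(gcloud info | gke_account_from_info)"`; once the printed command looks right, execute it. Afterwards `kubectl auth can-i create clusterroles` should answer `yes`, and `kubectl get clusterrolebindings -o wide` lists the subjects of every binding, which is a quick way to spot any existing binding that hands cluster-admin to a default service account.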